Skip to main content

LDAP with ASP.Net Identity Core in MVC with project.json

Lightweight Directory Access Protocol (LDAP), the name itself explain it. An application protocol used over an IP network to access the distributed directory information service.

The first and foremost thing is to add references for consuming LDAP. This has to be done by adding reference from Global Assembly Cache (GAC) into project.json

 "frameworks": {  
  "net461": {  
   "frameworkAssemblies": {  
    "System.DirectoryServices": "4.0.0.0",  
    "System.DirectoryServices.AccountManagement": "4.0.0.0"  
   }  
  }  
 },  

These System.DirectoryServices and System.DirectoryServices.AccountManagement references are used to consume LDAP functionality.

It is always better to have an abstraction for irrelevant items in consuming part. For an example, the application does not need to know about PrincipalContext or any other dependent items from those two references to make it extensible. So, we can begin with some basic interface implementation which suits us.

 public interface IActiveDirectory<TUser>  
   where TUser : IdentityUser  
 {  
   /// <summary>  
   /// Finds the user by identity asynchronously.  
   /// </summary>  
   /// <param name="userId">The user id.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>User information.</returns>  
   Task<TUser> FindByIdentityAsync(string userId, CancellationToken cancellationToken = default(CancellationToken));  
   /// <summary>  
   /// Gets the user roles asynchronously.  
   /// </summary>  
   /// <param name="username">The username.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>Roles for the user.</returns>  
   IList<string> GetUserRolesAsyc(string username, CancellationToken cancellationToken = default(CancellationToken));  
   /// <summary>  
   /// Determines whether user is authenticated asynchronously.  
   /// </summary>  
   /// <param name="identity">The identity.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns><c>true</c>if user is authenticated;<c>false</c>for unauthorized user.</returns>  
   Task<bool> IsAuthenticatedAsync(IIdentity identity, CancellationToken cancellationToken = default(CancellationToken));  
   /// <summary>  
   /// Determines whether user is authenticated asynchronously.  
   /// </summary>  
   /// <param name="username">The username.</param>  
   /// <param name="password">The password.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns><c>true</c>if user is authenticated;<c>false</c>for unauthorized user.</returns>  
   Task<bool> IsAuthenticatedAsync(string username, string password, CancellationToken cancellationToken = default(CancellationToken));  
   /// <summary>  
   /// Gets Authenticated user claim asynchronous.  
   /// </summary>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>Authenticated user claims.</returns>  
   Task<ClaimsIdentity> AuthenticatedUserClaimAsync(CancellationToken cancellationToken = default(CancellationToken));  
 }  

It is just the basic structure, but can be modified based on need.

With this structure, we need to have a proper definition for each item and in that, we would using the added references.

 public sealed class ActiveDirectoryLdap  
   : IActiveDirectory<User>, IDisposable  // TODO: Actual model 

 {  
   //  
   /// <summary>  
   /// The principal context  
   /// </summary>  
   private readonly PrincipalContext PrincipalContext;  
   /// <summary>  
   /// Initializes a new instance of the <see cref="ActiveDirectoryLdap"/> class.  
   /// </summary>  
   /// <param name="principalContext">The principal context.</param>  
   public ActiveDirectoryLdap(PrincipalContext principalContext)  
   {  
     PrincipalContext = principalContext;  
   }  
   /// <summary>  
   /// Gets Authenticated user claim asynchronous.  
   /// </summary>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>  
   /// Authenticated user claims.  
   /// </returns>  
   public Task<ClaimsIdentity> AuthenticatedUserClaimAsync(CancellationToken cancellationToken = default(CancellationToken))  
   {  
     var user = UserPrincipal.Current;  
     if (user != null)  
     {  
       using (var adUser = UserPrincipal.FindByIdentity(PrincipalContext, user.Name))  
       {  
         if (adUser != null)  
         {  
           return Task.FromResult(CreateClaims(adUser));  
         }  
       }  
     }  
     return Task.FromResult(new ClaimsIdentity());  
   }  
   /// <summary>  
   /// Creates the claims as Active Directory User.  
   /// </summary>  
   /// <param name="user">The user.</param>  
   /// <returns>Claims for user.</returns>  
   private ClaimsIdentity CreateClaims(UserPrincipal user)  
   {  
     var identity = new ClaimsIdentity();  
     if (user != null)  
     {  
       identity.AddClaims(new[]  
       {  
         new Claim(ClaimTypes.Name, user.Name),  
         new Claim(ClaimTypes.Email, user.EmailAddress),  
         new Claim(ClaimTypes.NameIdentifier, user.Name),  
         new Claim(ClaimTypes.Name, user.DisplayName),  
         new Claim(ClaimTypes.GivenName, user.GivenName)  
       });  
     }  
     return identity;  
   }  
   /// <summary>  
   /// Finds the user by identity asynchronously.  
   /// </summary>  
   /// <param name="userId">The user id.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>  
   /// User information.  
   /// </returns>  
   public Task<User> FindByIdentityAsync(string userId,  
     CancellationToken cancellationToken = default(CancellationToken))  
   {  
     var directoryUser = UserPrincipal.FindByIdentity(PrincipalContext, userId);  
     if (directoryUser != null)  
     {  
       return Task.FromResult(new User 
       {  
         //Id = userId,  
         UserName = userId,  
         Email = directoryUser.EmailAddress,  
         //FirstName = directoryUser.GivenName,  
         //LastName = directoryUser.Surname,  
         //DisplayName = directoryUser.Name  
       });  
     }  
     return Task.FromResult<User>(null);  
   }  
   /// <summary>  
   /// Gets the user roles asynchronously.  
   /// </summary>  
   /// <param name="username">The username.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>  
   /// Roles for the user.  
   /// </returns>  
   public IList<string> GetUserRolesAsyc(string username,  
     CancellationToken cancellationToken = default(CancellationToken))  
   {  
     var rols = new List<string>();  
     if (IsUserInGroup(username, "viewer"))  
     {  
       rols.Add("viewer");  
     }  
     if (IsUserInGroup(username, "admin"))  
     {  
       rols.Add("admin");  
     }  
     return rols;  
   }  
   /// <summary>  
   /// Determines whether user is authenticated asynchronously.  
   /// </summary>  
   /// <param name="identity">The identity.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>  
   ///  <c>true</c>if user is authenticated;<c>false</c>for unauthorized user.  
   /// </returns>  
   public Task<bool> IsAuthenticatedAsync(IIdentity identity,  
     CancellationToken cancellationToken = default(CancellationToken))  
   {  
     var userPrincipal = UserPrincipal.FindByIdentity(PrincipalContext,  
                         IdentityType.SamAccountName,  
                         identity.Name);  
     return Task.FromResult(userPrincipal != null);  
   }  
   /// <summary>  
   /// Determines whether user is authenticated asynchronously.  
   /// </summary>  
   /// <param name="username">The username.</param>  
   /// <param name="password">The password.</param>  
   /// <param name="cancellationToken">The cancellation token.</param>  
   /// <returns>  
   ///  <c>true</c>if user is authenticated;<c>false</c>for unauthorized user.  
   /// </returns>  
   public Task<bool> IsAuthenticatedAsync(string username, string password,  
     CancellationToken cancellationToken = default(CancellationToken))  
   {  
     return Task.FromResult(PrincipalContext.ValidateCredentials(username, password));  
   }  
   /// <summary>  
   /// Determines whether specified user is in group.  
   /// </summary>  
   /// <param name="user">The user.</param>  
   /// <param name="group">The group.</param>  
   /// <returns><c>true</c>if user is in group;<c>false</c>for not in a group.</returns>  
   private bool IsUserInGroup(string user, string group)  
   {  
     bool found = false;  
     try  
     {  
       var gropPrincipal = GroupPrincipal.FindByIdentity(PrincipalContext, group);  
       var userPrincipal = UserPrincipal.FindByIdentity(PrincipalContext, IdentityType.SamAccountName, user);  
       if (gropPrincipal != null)  
       {  
         found = gropPrincipal.GetMembers(true)  
           .Contains(userPrincipal);  
       }  
     }  
     catch (Exception)  
     {  
       found = false;  
     }  
     return found;  
   }  
   #region " IDisposable "  
   /// <summary>  
   /// Disposed  
   /// </summary>  
   private bool disposed = false;  
   /// <summary>  
   /// Performs application-defined tasks associated with freeing, releasing, or resetting unmanaged resources.  
   /// </summary>  
   public void Dispose()  
   {  
     Dispose(true);  
     GC.SuppressFinalize(this);  
   }  
   /// <summary>  
   /// Releases unmanaged and - optionally - managed resources  
   /// </summary>  
   /// <param name="disposing"><c>true</c> to release both managed and unmanaged resources.</param>  
   private void Dispose(bool disposing)  
   {  
     if (!disposed)  
     {  
       if (disposing)  
       {  
         PrincipalContext.Dispose();  
       }  
     }  
     this.disposed = true;  
   }  
   #endregion " IDisposable "  


Ideally, whenever a user visits they should be automatically allowed to log in. So for that, we would be customizing UserManager to create our own function and call on the login page.

 public class MyProjectUserManager  
   : UserManager<User>  
 {  
   /// <summary>  
   ///   The active directory  
   /// </summary>  
   private readonly IActiveDirectory<User> ActiveDirectory;  
   /// <summary>  
   ///   Gets a flag indicating whether the Active Directory is supported.  
   /// </summary>  
   public readonly bool SupportsActiveDirectory;  
   /// <summary>  
   ///   Initializes a new instance of the <see cref="MyProjectUserManager" /> class.  
   /// </summary>  
   /// <param name="store">The store.</param>  
   /// <param name="optionsAccessor">The options accessor.</param>  
   /// <param name="passwordHasher">The password hasher.</param>  
   /// <param name="userValidators">The user validators.</param>  
   /// <param name="passwordValidators">The password validators.</param>  
   /// <param name="keyNormalizer">The key normalizer.</param>  
   /// <param name="errors">The errors.</param>  
   /// <param name="services">The services.</param>  
   /// <param name="logger">The logger.</param>  
   /// <param name="activeDirectory">The active directory.</param>  
   public MyProjectUserManager(IUserStore<User> store, IOptions<IdentityOptions> optionsAccessor,  
     IPasswordHasher<User> passwordHasher, IEnumerable<IUserValidator<User>> userValidators,  
     IEnumerable<IPasswordValidator<User>> passwordValidators, ILookupNormalizer keyNormalizer,  
     IdentityErrorDescriber errors, IServiceProvider services, ILogger<UserManager<User>> logger,  
     IActiveDirectory<User> activeDirectory)  
     : base(store, optionsAccessor, passwordHasher, userValidators, passwordValidators, keyNormalizer,  
       errors, services, logger)  
   {  
     ActiveDirectory = activeDirectory;  
     SupportsActiveDirectory = activeDirectory != null;  
   }  
   /// <summary>  
   ///   Gets the Active Directory user claims.  
   /// </summary>  
   /// <returns></returns>  
   private async Task<ClaimsIdentity> GetAdUserClaims()  
   {  
     if (SupportsActiveDirectory)  
     {  
       return await ActiveDirectory.AuthenticatedUserClaimAsync();  
     }  
     var identity = new ClaimsIdentity();  
     return await Task.FromResult(identity);  
   }  
   /// <summary>  
   ///   Gets or create Active Directory user entry and returns same.  
   /// </summary>  
   /// <returns></returns>  
   public async Task<User> GetOrCreateAdUser()  
   {  
     var adUserClaim = await GetAdUserClaims();  
     //if (adUserClaim.IsAuthenticated && adUserClaim.Claims.Any())  
     if (adUserClaim.Claims.Any())  
     {  
       var availableUser = await FindByNameAsync(adUserClaim.Name);  
       if (availableUser != null)  
       {  
         return await Task.FromResult(availableUser);  
       }  
       var usr = new User  
       {  
         UserName = adUserClaim.FindFirst(c => c.Type == ClaimTypes.NameIdentifier).Value,  
         Email = adUserClaim.FindFirst(c => c.Type == ClaimTypes.Email).Value  
       };  
       var result = await CreateAsync(usr);  
       if (result.Succeeded)  
       {  
         var claimsRes = await AddClaimsAsync(usr, adUserClaim.Claims);  
         if (claimsRes.Succeeded)  
         {  
           return await Task.FromResult(usr);  
         }  
       }  
     }  
     return await Task.FromResult(default(User));  
   }  
 }  

The function GetOrCreateAdUser needs to be called on Login Get Action. This would create an entry into AspNet Identity Core. Please mark that it is being used to create a direct user in AspNet Identity without providing a password. It can be also customized to allow as external login.

The Get request for Login action.

 [HttpGet]  
 [AllowAnonymous]  
 public Task<IActionResult> Login(string returnUrl = null)  
 {  
   var adUser = await UserManager.GetOrCreateAdUser();  
   if (adUser != null)  
   {  
     //SignInManager.ExternalLoginSignInAsync()  
     await SignInManager.SignInAsync(adUser, false, CookieAuthenticationDefaults.AuthenticationScheme);  
     return RedirectToLocal(returnUrl);  
   }  
   ViewData["ReturnUrl"] = returnUrl;  
   return View();  
 }  

That is all we need to do, the final part is to setup dependency injection for IActiveDirectory under Startup.cs.

 services.AddScoped<IActiveDirectory<User>>(provider =>  
 {  
   try  
   {  
     var adServerPath = Configuration.GetSection("AppSettings").Get<string>("LdapUrl"); // From configuration  
     return new ActiveDirectoryLdap(new PrincipalContext(ContextType.Domain, adServerPath));  
   }  
   catch (PrincipalServerDownException) // Avoid LDAP if not available.  
   {  
   }  
 });  



Popular posts from this blog

Handling JSON DateTime format on Asp.Net Core

This is a very simple trick to handle JSON date format on AspNet Core by global settings. This can be applicable for the older version as well.

In a newer version by default, .Net depends upon Newtonsoft to process any JSON data. Newtonsoft depends upon Newtonsoft.Json.Converters.IsoDateTimeConverter class for processing date which in turns adds timezone for JSON data format.

There is a global setting available for same that can be adjusted according to requirement. So, for example, we want to set default formatting to US format, we just need this code.


services.AddMvc() .AddJsonOptions(options => { options.SerializerSettings.DateTimeZoneHandling = "MM/dd/yyyy HH:mm:ss"; });



Architecture solution composting Repository Pattern, Unit Of Work, Dependency Injection, Factory Pattern and others

Project architecture is like garden, we plant the things in certain order and eventually they grow in similar manner. If things are planted well then they will all look(work) great and easier to manage. If they grow as cumbersome it would difficult to maintain and with time more problems would be happening in maintenance.

There is no any fixed or known approach to decide project architecture and specially with Agile Methodology. In Agile Methodology, we cannot predict how our end products will look like similarly we cannot say a certain architecture will fit well for entire development lifespan for project. So, the best thing is to modify the architecture as per our application growth. I understand that it sounds good but will be far more problematic with actual development. If it is left as it is then more problems will arise with time. Just think about moving plant vs a full grown tree.

Coming to technical side, In this article, I will be explaining about the various techniques tha…

Elegantly dealing with TimeZones in MVC Core / WebApi

In any new application handling TimeZone/DateTime is mostly least priority and generally, if someone is concerned then it would be handled by using DateTime.UtcNow on codes while creating current dates and converting incoming Date to UTC to save on servers.
Basically, the process is followed by saving DateTime to UTC format in a database and keep converting data to native format based on user region or single region in the application's presentation layer.
The above is tedious work and have to be followed religiously. If any developer misses out the manual conversion, then that area of code/view would not work.
With newer frameworks, there are flexible ways to deal/intercept incoming or outgoing calls to simplify conversion of TimeZones.
These are steps/process to achieve it. 1. Central code for storing user's state about TimeZone. Also, central code for conversion logic based on TimeZones. 2. Dependency injection for the above class to be able to use globally. 3. Creating Mo…

Unit Of Work injection through Asp.Net Core Dependency Injection

This article is not directly related to UnitOfWork but leveraging Asp.Net Core Dependency Injection to consume Unit Of Work.

In one of the previous article about project architecture, I was not very satisfied with the approach for Unit Of Work implementation for initialization of repository even if with some advantage.

Here is old code for UnitOfWork.

public sealed partial class MyProjectUnitOfWork : UnitOfWork<DbContext>, IMyProjectUnitOfWork { public MyProjectUnitOfWork(IContextFactory<DbContext> contextFactory) : base(contextFactory) { } /// <summary> /// BookRepository holder /// </summary> private MyProject.DB.Repository.BookRepository _bookRepository; /// <summary> /// Gets the BookRepository repository. /// </summary> /// <value> /// The BookRepository repository. /// </value> MyProject.Interface.Repository.IBoo…

Configuring Ninject, Asp.Net Identity UserManager, DataProtectorTokenProvider with Owin

It can be bit tricky to configure both Ninject and Asp.Net Identity UserManager if some value is expected from DI to configure UserManager. We will look into configuring both and also use OwinContext to get UserManager.

As usual, all configuration need to be done on Startup.cs. It is just a convention but can be used with different name, the important thing is to decorate class with following attribute to make it Owin start-up:

[assembly: OwinStartup(typeof(MyProject.Web.Startup))]
Ninject configuration

Configuring Ninject kernel through method which would be used to register under Owin.

Startup.cs
public IKernel CreateKernel() { var kernel = new StandardKernel(); try { //kernel.Bind<IHttpModule>().To<HttpApplicationInitializationHttpModule>(); // TODO: Put any other injection which are required. return kernel; } catch { kernel.Dispose(); throw; }…

Global exception handling and custom logging in AspNet Core with MongoDB

In this, we would be looking into logging and global exception handling in the AspNet Core application with proper registration of logger and global exception handling.

Custom logging
The first step is to create a data model that we want to save into DB.

Error log Data model
These are few properties to do logging which could be extended or reduced based on need.

public class ErrorLog { /// <summary> /// Gets or sets the Error log identifier. /// </summary> /// <value> /// The Error log identifier. /// </value> [BsonRepresentation(BsonType.ObjectId)] public ObjectId Id { get; set; /// <summary> /// Gets or sets the date. /// </summary> /// <value> /// The date. /// </value> public DateTime Date { get; set; } /// <summary> /// Gets or sets the thread. /// </summary> /// <v…

Kendo MVC Grid DataSourceRequest with AutoMapper

Kendo Grid does not work directly with AutoMapper but could be managed by simple trick using mapping through ToDataSourceResult. The solution works fine until different filters are applied.
The problems occurs because passed filters refer to view model properties where as database model properties are required after AutoMapper is implemented.
So, the plan is to intercept DataSourceRequest  and modify names based on database model. To do that we are going to create implementation of CustomModelBinderAttribute to catch calls and have our own implementation of DataSourceRequestAttribute from Kendo MVC. I will be using same source code from Kendo but will replace column names for different criteria for sort, filters, group etc.
Let's first look into how that will be implemented.
public ActionResult GetRoles([MyDataSourceRequest(GridId.RolesUserGrid)] DataSourceRequest request) { if (request == null) { throw new ArgumentNullException("reque…

Custom authorization on class, action/function, code, area level under Asp.Net MVC application

With evolution of ASP.Net MVC there are lot of inbuilt feature came and evolved with time. One of those is Authorization and Custom Authorization. The in-built function is sufficient enough to handle anonymous user restriction, user based on there name, specific roles for user with just single class AuthorizeAttribute.
To implement we need to decorate attribute on any given class, action based on need.
Example:

[Authorize] public ActionResult Test() { }
By just providing Authorize attribute anonymous user are restricted. It has Roles and Users property parameters to restrict access based on certain role or user which can accept multiple values by comma separated as string format.

In one of the situation, I got chance to built an authorization where roles keep changing. Administrator can add new role, delete any role or modify existing role. In that situation we cannot map roles with codes. So, there were two way to achieve by creating group of roles and letting administra…

T4, Generating interface automatically based on provided classes

With new techniques and patterns interface plays a key role in application architecture. Interface makes application extendable like defining file upload interface and implementing based on file system, Azure Blob storage, Amazon S3. At starting we might be implementing based on Azure Blob but later we might move to Windows based file system and so on.

Ideally we create interface based on need and start implementing actual default implementation class. Many a times at starting of implementation there is one to one mapping between Interface and Class. Like from above example File upload interface and the initial or default class implementation that we design and with time it will get extended.
In this article, we will try to create interface based on default class implementation. This is not at all recommended in Test Driven Design (TDD) where we test the application before actual code implementation but I feel sometimes and in some situations it is okay do that and test straight afte…